Chance discovery foiled cyberattack


LONDON — The cyberattack that spread malicious software around the world, shutting down networks at hospitals, banks and government agencies, was thwarted by a young British researcher and an inexpensive domain registration, with help from another young security engineer in the United States.

Britain’s National Cyber Security Centre and others were hailing the cybersecurity researcher, a 22-year-old identified online only as MalwareTech, who — unintentionally at first — discovered a so-called “kill switch” that halted the unprecedented outbreak.

By then the “ransomware” attack had crippled Britain’s hospital network and computer systems in several countries in an effort to extort money from computer users.

But the researcher’s actions may have saved companies and governments millions of dollars and slowed the outbreak before computers in the United States were more widely affected.

MalwareTech, who works for cybersecurity firm Kryptos Logic, is part of a large global cybersecurity community that is constantly watching for attacks and working together to stop or prevent them, often sharing information via Twitter. It’s not uncommon for them to use aliases, either to protect themselves from retaliatory attacks or for privacy.

In a blog post Saturday, MalwareTech explained he learned on Friday that networks across Britain’s health system had been hit by ransomware, tipping him off that “this was something big.”

He began analyzing a sample of the malicious software and noticed its code included a hidden web address that wasn’t registered. He said he “promptly” registered the domain, something he regularly does to try to discover ways to track or stop malicious software.

Across an ocean, Darien Huss, a 28-year-old research engineer for the cybersecurity firm Proofpoint, was doing his own analysis. The western Michigan resident said he noticed the authors of the malware had left in a feature known as a kill switch. Huss took a screenshot of his discovery and shared it on Twitter.

Soon he and MalwareTech were communicating about what they’d found: that registering the domain name and redirecting the attacks to the server of Kryptos Logic had activated the kill switch, halting the ransomware’s infections.

Both said they were concerned the authors of the malware could re-release it without a kill switch or with a better one, or that copycats could mimic the attack.

Who perpetrated this wave of attacks remains unknown.

This is already believed to be the biggest online extortion attack ever recorded, disrupting services in nations as diverse as the U.S., Russia, Ukraine, Brazil, Spain and India.

Europol, Europe’s policing agency, called the attack unprecedented and said computers in more than 150 countries have been affected. Two security firms — Kaspersky Lab and Avast — said Russia was hit hardest.
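Once the kill-switch domain is registered and pointed at a sinkhole, every lookup of it from inside a network is a sign that the ransomware ran on that host, whether or not the kill switch then stopped it. The following is an added example (not code from the article, the researchers, or their employers) showing how a defender could pull those hosts out of resolver logs; the domain name and the log lines are constructed placeholders, since the article does not name the real domain.

```python
import re
from collections import defaultdict

# Placeholder: the article does not name the kill-switch domain.
KILL_SWITCH_DOMAIN = "killswitch.example"

# Constructed sample resolver log (not real data), one query per line:
# <timestamp> <client_ip> query <qname> <qtype> <rcode>
SAMPLE_DNS_LOG = """\
2017-05-12T14:01:03Z 10.0.1.15 query killswitch.example A NOERROR
2017-05-12T14:01:05Z 10.0.1.22 query updates.vendor.example A NOERROR
2017-05-12T14:01:09Z 10.0.1.15 query killswitch.example A NOERROR
2017-05-12T14:02:11Z 10.0.2.40 query KILLSWITCH.EXAMPLE. A NXDOMAIN
2017-05-12T14:02:30Z 10.0.1.22 query mail.corp.example MX NOERROR
"""

LINE_RE = re.compile(r"^(\S+) (\S+) query (\S+) (\S+) (\S+)$")


def normalize(qname):
    """DNS names are case-insensitive and may carry a trailing dot."""
    return qname.rstrip(".").lower()


def find_kill_switch_lookups(log_text, domain=KILL_SWITCH_DOMAIN):
    """Map each client IP that queried the domain to its (timestamp, rcode) list."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash on them
        ts, client, qname, _qtype, rcode = m.groups()
        if normalize(qname) == domain:
            hits[client].append((ts, rcode))
    return dict(hits)


def triage(hits):
    """'unresolved' = the lookup failed (before the sinkhole existed, or DNS was
    blocked), so the payload would not have seen the kill switch; 'resolved' =
    the sinkhole answered. Both mean the sample executed on that host."""
    return {
        client: "unresolved" if any(rc == "NXDOMAIN" for _, rc in events)
        else "resolved"
        for client, events in hits.items()
    }


if __name__ == "__main__":
    for host, status in sorted(triage(find_kill_switch_lookups(SAMPLE_DNS_LOG)).items()):
        print(f"{host}: kill-switch lookup {status}; isolate and investigate")
```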

© PressReader. All rights reserved.